Cybersecurity Risk Management and Strategy Disclosure
12 Months Ended
Dec. 31, 2024
Cybersecurity Risk Management, Strategy, and Governance [Line Items]  
Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]

Cybersecurity and Risk Management

The Company’s cybersecurity risk management processes are integrated into the overall risk management process managed by the Chief Risk Officer through reporting of cyber risks to the Information Security Steering Committee (ISSC). The cybersecurity risk management processes will be transitioned under the Chief Information Officer’s division for the 2025 year. The ISSC is chaired by the Managing Director of Information Security, who has 18 years of information technology (IT) and information security experience in the financial services industry. Key metrics are monitored on an ongoing basis by the IT Risk Management and IT Security teams, with oversight by the ISSC. IT Risk Management performs regular information security-focused risk assessments, including but not limited to assessments based on the Center for Information Security Controls Self-Assessment Tool and Ransomware Self-Assessment Tool aligned to the Federal Financial Institutions Examination Council standards.

IT Risk Management maintains processes for prevention, detection, and mitigation of cybersecurity incidents. The Company maintains an Incident Response Plan (IRP) that covers response and remediation processes for managing cybersecurity incidents. The Incident Response Team (IRT) members include senior management and other relevant personnel, with defined roles and responsibilities. IRP metrics related to monitoring and detection are presented to the ISSC and reported to the board. The IRT is notified of all incidents, and incidents are elevated to the board when warranted.

Risks from Cybersecurity Threats

In the last fiscal year, the Company did not experience any material cybersecurity incidents. For additional discussion of cybersecurity-related risks facing the Company, see Item 1A. Risk Factors.

Cybersecurity Risk Management Processes Integrated [Flag] true
Cybersecurity Risk Management Processes Integrated [Text Block] The Company’s cybersecurity risk management processes are integrated into the overall risk management process managed by the Chief Risk Officer through reporting of cyber risks to the Information Security Steering Committee (ISSC).
Cybersecurity Risk Management Third Party Engaged [Flag] true
Cybersecurity Risk Third Party Oversight and Identification Processes [Flag] true
Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag] false
Cybersecurity Risk Board of Directors Oversight [Text Block]

Board Oversight

In connection with the board’s oversight of risk management, cybersecurity updates are provided to the board at least quarterly, including, but not limited to, the following materials: Annual Gramm-Leach-Bliley Act Information Security Program (ISP) Report, IT Risk Management and IT Security Metrics, Penetration Testing and Tabletop Exercise updates, IT Risk Assessments, Disaster Recovery Test Results, Third Party Risk Management Metrics, Incident Response Metrics, Security Awareness Training Metrics and additional cybersecurity education topics.

Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block] Information Security Steering Committee (ISSC)
Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]

The Company’s cybersecurity risk management processes are integrated into the overall risk management process managed by the Chief Risk Officer through reporting of cyber risks to the Information Security Steering Committee (ISSC). The cybersecurity risk management processes will be transitioned under the Chief Information Officer’s division for the 2025 year. The ISSC is chaired by the Managing Director of Information Security, who has 18 years of information technology (IT) and information security experience in the financial services industry. Key metrics are monitored on an ongoing basis by the IT Risk Management and IT Security teams, with oversight by the ISSC. IT Risk Management performs regular information security-focused risk assessments, including but not limited to assessments based on the Center for Information Security Controls Self-Assessment Tool and Ransomware Self-Assessment Tool aligned to the Federal Financial Institutions Examination Council standards.

Cybersecurity Risk Role of Management [Text Block]

IT Risk Management maintains processes for prevention, detection, and mitigation of cybersecurity incidents. The Company maintains an Incident Response Plan (IRP) that covers response and remediation processes for managing cybersecurity incidents. The Incident Response Team (IRT) members include senior management and other relevant personnel, with defined roles and responsibilities. IRP metrics related to monitoring and detection are presented to the ISSC and reported to the board. The IRT is notified of all incidents, and incidents are elevated to the board when warranted.

Cybersecurity Risk Management Positions or Committees Responsible [Flag] true
Cybersecurity Risk Management Positions or Committees Responsible [Text Block] Chief Risk Officer
Cybersecurity Risk Management Expertise of Management Responsible [Text Block] The ISSC is chaired by the Managing Director of Information Security, who has 18 years of information technology (IT) and information security experience in the financial services industry.
Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block] The Incident Response Team (IRT) members include senior management and other relevant personnel, with defined roles and responsibilities. IRP metrics related to monitoring and detection are presented to the ISSC and reported to the board. The IRT is notified of all incidents, and incidents are elevated to the board when warranted.
Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag] true